HyperMD: A Multi-Modal Malware Detection Method Using Performance Counters and Process Memory on Xen Platform
Abstract: Traditional malware detection techniques often struggle against the sophisticated obfuscation methods employed by modern malware. To address this challenge, this paper proposes HyperMD, a multi-modal malware detection method that leverages Xen as the malware analysis platform. HyperMD detects malware by using time-series Xen performance counter data collected at the hypervisor layer while running samples in a virtual machine (VM). Additionally, it incorporates an out-of-VM runtime process memory dump module to capture the target process’s memory. The acquired memory snapshots are then converted into images using SimHash. Finally, HyperMD fuses features from both time-series data and memory images to train a multi-modal deep learning model. We evaluated HyperMD using a dataset collected from VirusTotal and VirusShare, comprising sophisticated samples designed to evade detection or trigger false alarms. HyperMD achieves an accuracy of 97.53%, demonstrating its effectiveness in detecting rootkits and process injection malware. This proposed method can help detect obfuscated malware due to the utilization of hypervisor-layer features. Furthermore, HyperMD demonstrates a classification accuracy of 97.56% for five different malware families. The performance of HyperMD is also compared with other state-of-the-art static and dynamic detection methods, which further demonstrates the advantages of HyperMD. The robustness, resilience and scalability of HyperMD are also evaluated.
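The SimHash step the abstract mentions, written out as an added illustration that is not code from the paper: a process memory dump is cut into fixed-size chunks, each chunk is fingerprinted with SimHash over its byte shingles, and the fingerprints are stacked as rows of a binary image. The chunk size, shingle length, 64-bit width and BLAKE2b token hash are assumptions; the abstract does not specify HyperMD's encoding.

```python
import hashlib
from typing import List

def simhash(tokens: List[bytes], bits: int = 64) -> int:
    """Classic SimHash: for every token hash, add +1/-1 per bit position,
    then keep the sign of each column. Similar token sets yield fingerprints
    that are close in Hamming distance, which is what makes it useful for
    comparing memory regions that differ only slightly (e.g. patched code)."""
    v = [0] * bits
    for tok in tokens:
        # Assumed token hash; any uniform hash of the right width works.
        h = int.from_bytes(hashlib.blake2b(tok, digest_size=bits // 8).digest(), "big")
        for i in range(bits):
            v[i] += 1 if (h >> i) & 1 else -1
    fp = 0
    for i in range(bits):
        if v[i] > 0:
            fp |= 1 << i
    return fp

def chunk_tokens(chunk: bytes, n: int = 4) -> List[bytes]:
    """Byte n-grams (shingles) of one chunk; SimHash ignores their order."""
    return [chunk[i:i + n] for i in range(len(chunk) - n + 1)]

def memory_to_image(dump: bytes, chunk_size: int = 256, bits: int = 64) -> List[List[int]]:
    """One image row per memory chunk, one 0/255 pixel per fingerprint bit.
    The result is a (len(dump)/chunk_size) x bits binary image that a CNN can consume."""
    rows = []
    for off in range(0, len(dump), chunk_size):
        fp = simhash(chunk_tokens(dump[off:off + chunk_size]), bits)
        rows.append([255 if (fp >> (bits - 1 - b)) & 1 else 0 for b in range(bits)])
    return rows

def hamming(a: int, b: int) -> int:
    """Bit distance between two fingerprints."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    # Constructed stand-in for a dumped region (not a real process image).
    dump = bytes((i * 7 + 3) % 256 for i in range(1024))
    img = memory_to_image(dump)
    print(len(img), "rows x", len(img[0]), "pixels")
```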
External IDs: dblp:journals/tifs/WangZXYMJ25